You can never assume any method is 'safe' but think about it, with GET variables, the variable name and value are both openly displayed in the address bar. at least using POST you make them work for it a little bit. You can also verify the referer, etc to prevent cross site scripting, and make sure that fields can't be changed etc. It's impossible to prevent every possible way that form data can be abused, but $_REQUEST should never be used, and $_GET should only be used when you're sure the data can't be misused.